Disk Encryption

1) What is a pre-boot operating system, and why is it important?

A pre-boot operating system is a small, fast, secure environment that hosts user authentication for GuardianEdge Hard Disk Encryption endpoints. This pre-boot operating system is hardened to protect against security exploits, with entry points rigidly defined to create a very small attack surface relative to the endpoint’s main operating system. It provides a highly secure environment for user authentication with features like automatic delay after a pre-defined number of incorrect password attempts, and supports user productivity with features like single sign-on to Windows.

2) What is A.E.S. Encryption and how is it used?

During installation of the GuardianEdge Hard Disk Encryption endpoint client, a unique workstation encryption key is created and securely stored on the drive. The GuardianEdge Hard Disk Encryption driver intercepts all drive read and write requests from the operating system, and uses the workstation encryption key in combination with the Advanced Encryption Standard (AES) algorithm to encrypt every block of data when Windows writes a file to the drive, and to decrypt every block of data into memory when Windows reads a file from the drive. Data stored on the drive is always encrypted. GuardianEdge Hard Disk Encryption decrypts data into memory, never onto the drive, as Windows reads a file.

3) What parts of the disk are encrypted?

By default, GuardianEdge Hard Disk Encryption encrypts every sector on the drive or partition; in other words, the entire drive. This includes temporary, swap, and hibernation files written by the operating system.

4) Can more than one disk partition be encrypted?

GuardianEdge Hard Disk Encryption can encrypt up to 26 (twenty-six) partitions on the system boot drive.

5) What happens if a computer is shut down during disk encryption?

Power loss protection is always enabled during disk or partition level encryption. The GuardianEdge Hard Disk Encryption driver maintains the state of disk encryption and, if power is lost or the machine is shut down, will automatically resume encryption where it left off when the machine is restarted.

6) What type of encryption is used?

The primary encryption algorithms used are the Advanced Encryption Standard (AES) in Cipher Block Chaining mode with either a 128-bit or 256-bit key for encrypting data on the drive, SHA-1 for generating secure “hashes” or signatures of data used in key management, and the standard IEEE P-1363 implementation of Elliptic Curve Cryptography for the public/private key cryptography used in key management.

7) Is the product certified?

GuardianEdge Hard Disk Encryption is Common Criteria EAL 1 certified and is in evaluation for EAL 4 certification.

8) What is the impact of disk encryption on performance?

Users typically don’t notice the performance impact of GuardianEdge Hard Disk Encryption, which varies between 5% and 15% depending on the machine configuration and hardware. The GuardianEdge Hard Disk Encryption driver is specifically architected to run at low priority during drive or partition level encryption, so users can continue to work productively on machines that are undergoing encryption for the first time.

9) What hardware platforms and operating systems are supported?

For endpoint encryption, all of Microsoft’s current business-class endpoint operating systems are supported (Windows 2000, XP Professional and Vista).

Enterprise Manageability

1) How does GuardianEdge leverage Active Directory?

GuardianEdge Hard Disk Encryption is a component of the GuardianEdge Data Protection Platform. The GuardianEdge Data Protection Platform has the most extensive Active Directory integration of data protection products on the market today. The points of integration into Active Directory include:

MMC interface - The GuardianEdge Management Console uses a native MMC interface, already familiar to administrators for managing email and systems and allowing them to be immediately effective with minimal training.

Microsoft GPO policy control - Policies can be deployed to all levels of the Active Directory hierarchy, including domains, sites, OUs, and groups. This Active Directory hierarchy is natively available through GuardianEdge Manager, and no LDAP synch is required to periodically update it.

Active Directory role based administration - The GuardianEdge Data Platform uses Active Directory’s powerful role-based capabilities. Administrators can be limited to specific functions, such as creating MSI files or viewing monitored data, within the GuardianEdge Management Console. Additionally, administrators can only be allowed to deploy GuardianEdge policies to a specific domain, site, OU, or group.

Active Directory’s Resultant Set of Policies (RSoP) can be used to determine the winning GuardianEdge policy on an endpoint.

2) What administrative roles are included with the solution?

Four administrative roles are included, three for the server and management console and one for local endpoint administration:

The Hard Disk Encryption Administrator is responsible for the installation, configuration and maintenance of the GuardianEdge Hard Disk Encryption server and management console, and for the creation and deployment of client installer packages.

Hard Disk Encryption Policy Administrators are responsible for creating and deploying Microsoft Group Policy Objects (GPO) through the Active Directory snap-in within the GuardianEdge management console. These group policy objects control the security profile for groups of machines protected by GuardianEdge Hard Disk Encryption.

One Time Password administration is typically assigned to Help Desk personnel, who provide assistance to users who have forgotten or lost their password or PIN.

Client Administrators are provisioned by the Hard Disk Encryption Administrator or Policy Administrator, and have special privileges for local administration of endpoints protected by GuardianEdge Hard Disk Encryption.

3) How hard is it to provision hard disk encryption to endpoints?

It’s simple and easy! Client installer packages come in the standard MSI format, and can be deployed to endpoints through Active Directory group policy or any standard enterprise software provisioning tool such as SMS, Tivoli or Altiris. Silent installation is supported to help make the end user experience seamless and transparent.

4) How are software updates installed?

Software updates for both the GuardianEdge Hard Disk Encryption server and endpoint clients come in the standard MSI format, making it easy to deploy updates using standard enterprise software provisioning tools. Updates can be installed at any time, and never require un-installation of previous versions or decryption of endpoint data.

5) How are disk encryption policies set and changed?

Endpoint disk encryption policies are controlled through Microsoft Active Directory Group Policy Objects (GPO). The GuardianEdge Hard Disk Encryption management console includes a group policy snap-in that interfaces with Active Directory. Policies created by the Hard Disk Encryption Policy Administrator can be deployed at any level of granularity within the Active Directory tree, from all machines within an Active Directory forest to any organizational unit - even to a single machine.

6) Is GuardianEdge disk encryption able to handle thousands of endpoints?

Yes. The server management infrastructure leverages both Active Directory and Active Directory Application Mode (ADAM) from Microsoft, ensuring robust management and reporting capability that scale to virtually all enterprise deployment requirements. GuardianEdge can provide references to enterprise customers who protect tens of thousands of their endpoints with hard disk encryption.

User Authentication

1) How do users authenticate to encrypted endpoints?

GuardianEdge Hard Disk Encryption supports both password and token or smartcard authentication for endpoint users. Single sign-on is supported for both authentication methods, enabling endpoint users to authenticate to GuardianEdge Hard Disk Encryption pre-boot authentication and Windows using a single set of credentials. For password users with single sign-on enabled, user authentication credentials consist of their Windows logon name, Active Directory domain, and password. For token or smartcard users, their credentials consist of their Windows logon name, Active Directory domain, the physical token, and their token PIN.

2) Is strong two-factor authentication supported?

GuardianEdge Hard Disk Encryption supports tokens and smartcards with X.509 digital certificates during pre-boot authentication, including tokens and smartcards certified to be compliant with the U.S. Department of Defense Common Access Card (CAC) standard.

3) Do users have to remember multiple passwords?

No. With GuardianEdge Hard Disk Encryption’s single sign-on feature, users provide their normal Windows credentials once and GuardianEdge Hard Disk Encryption automatically and securely passes those credentials to the Windows logon process after authenticating in pre-boot. GuardianEdge Hard Disk Encryption can be configured to require two separate user passwords – one for pre-boot authentication and one for Windows authentication – but most customers prefer to deploy with the GuardianEdge Hard Disk Encryption single sign-on feature enabled.

4) What happens when a user’s Windows password changes?

With single sign-on enabled, GuardianEdge Hard Disk Encryption automatically receives notice of changes to the user’s Windows password from the Windows GINA or Credentials Manager. It automatically updates any change with pre-boot authentication, ensuring that the user’s password remains in sync for both pre-boot and Windows authentication.

End User Experience

1) Do users have to stop working while their disk is being encrypted?

No. The GuardianEdge Hard Disk Encryption driver runs at a low priority in the background during disk or partition level encryption, so users can continue to use their machines productively while data on the hard drive is being encrypted for the first time.

2) What happens if power is lost during disk encryption?

Power loss protection is *always* enabled during disk or partition level encryption. The GuardianEdge Hard Disk Encryption driver maintains the state of disk encryption and, if power is lost, will automatically resume encryption where it left off when power is restored.

3) How easy is it for a user to set up an account?

It’s as easy as logging on to Windows! When a user logs on to Windows after GuardianEdge Hard Disk Encryption has been installed on their endpoint, a simple dialog prompts them to become a registered GuardianEdge Hard Disk Encryption user. All they have to do is reply “Yes” to the dialog, and the GuardianEdge Hard Disk Encryption registration process sets up their account for them.

4) Will users notice changes to system performance because of encryption?

Users typically don’t notice the performance impact of GuardianEdge Hard Disk Encryption, which varies between 5% and 15% depending on the machine configuration and hardware. The GuardianEdge Hard Disk Encryption driver is specifically architected to run at low priority during drive or partition level encryption, so users can continue to work productively on machines that are undergoing encryption for the first time.

5) Can more than one user log on to an encrypted endpoint?

Yes. GuardianEdge Hard Disk Encryption endpoints can be configured through policy to support up to 50 user accounts and 50 administrator accounts.

6) What happens when a user forgets their password or PIN?

GuardianEdge Hard Disk Encryption provides both self-help and Help Desk-assisted recovery for users who forget their password or PIN. Authenti-Check™ is a self-help, challenge and response feature that enables users to recover access to their machines through a combination of questions and answers that were defined during the user’s GuardianEdge Hard Disk Encryption registration process. Authenti-Check provides secure recovery without involving Help Desk or other administrative personnel, reducing the TCO for a GuardianEdge Hard Disk Encryption deployment. One Time Password is a Help Desk-assisted recovery feature that enables users to recover access to their machines even if they’ve forgotten their password or PIN and the answers to their Authenti-Check questions. One Time Password uses a secure challenge and response system based on public/private key cryptography to provide a user with one-time access to their machine.

Integration with Network Environment

1) Can IT administrators push out patches to encrypted endpoints?

Yes. GuardianEdge Hard Disk Encryption supports remote machine administration or “Wake on LAN”. Through policy, administrators can establish a window of time during which machines will re-boot without requiring pre-boot authentication, and also specify the number of times the machine can re-boot before pre-boot authentication is reactivated.

2) Is encryption compatible with anti-virus products?

Yes. GuardianEdge tests its endpoint data encryption products with current anti-virus solutions to ensure that they are compatible with typical enterprise deployments.

Yes. Close integration with Microsoft Active Directory is a key component of the GuardianEdge Hard Disk Encryption solution. Security policies for GuardianEdge Hard Disk Encryption endpoints are controlled through Microsoft Group Policy Objects (GPO), and creation and deployment of GuardianEdge Hard Disk Encryption policies is leveraged within the GuardianEdge management console through an MMC snap-in to Active Directory group policy management. The GuardianEdge server is based on Active Directory Application Mode, a lightweight version of Active Directory that provides scaling and enterprise administration options comparable to that of Active Directory, and enables extensions to the Active Directory schema without modifying the enterprise AD schema.

Virtually all office productivity applications are compatible with full disk encryption. The GuardianEdge Hard Disk Encryption driver sits at a software layer well below these applications. Both encryption of data written to the disk and decryption of data read from the disk are completely transparent to the Windows software application layer.

6) Are 3rd party disk forensics supported?

Yes. GuardianEdge and Guidance Software have integrated GuardianEdge Hard Disk Encryption with Guidance Software’s EnCase Forensic product, an industry-leading computer forensic investigation tool. The EnCase Forensic product is compatible with GuardianEdge Hard Disk Encryption, and provides comprehensive computer forensic investigation for disks encrypted by GuardianEdge Hard Disk Encryption. Note that the customer must supply valid GuardianEdge Hard Disk Encryption administrative credentials in order for EnCase to be able to access encrypted data on the disk.

Key Management

1) Is a PKI infrastructure required to support your product?

No. GuardianEdge has implemented its own robust, secure public/private key infrastructure within the Hard Disk Encryption product for key escrow and recovery. For customers who have deployed PKI solutions within their enterprise, GuardianEdge Hard Disk Encryption is fully compatible with Windows authentication methods required by these solutions including two-factor authentication.

2) How are the encryption keys for an encrypted machine protected?

Encryption keys are generated by GuardianEdge Hard Disk Encryption’s FIPS 140-2 validated pseudo-random number generator and are unique to each endpoint. These keys are encrypted with public keys derived from user and administrator credentials applied to the Elliptic Curve Cryptography public/private key pair algorithm and securely stored within the GuardianEdge Hard Disk Encryption pre-boot environment, ensuring that the disk encryption keys can only be unlocked through valid user or administrator authentication.

3) Can administrators gain emergency access to encrypted machines?

GuardianEdge Hard Disk Encryption ensures that at least one valid administrative account is always provisioned to each machine. A comprehensive set of utilities is provided with the solution that allow administrative accounts to remove existing registered users from a machine, add new users to a machine, or quickly and securely recover data from encrypted machines when user account information is lost or missing.
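The key hierarchy described in questions 2 and 3, as an added example that is not GuardianEdge’s code: a random per-endpoint disk key is kept only in wrapped form, once per registered account, so adding or removing a user touches only that account’s wrapped copy and the disk is never re-encrypted. PBKDF2 and an HMAC-based wrap are assumed stand-ins for the product’s credential-derived ECC key pairs and AES key wrapping.

```python
"""Per-endpoint key hierarchy as the FAQ describes it: one random workstation
key per endpoint, stored only in wrapped form under keys derived from each
user's or administrator's credentials.  Added illustration, not GuardianEdge
code.  Assumed stand-ins: PBKDF2-HMAC-SHA256 for the credential-derived ECC
key pair, HMAC-SHA256 keystream plus HMAC tag for the AES key wrap."""
import hashlib
import hmac
import os

KEY_LEN = 32             # 256-bit workstation key (the FAQ's 256-bit AES option)
PBKDF2_ROUNDS = 100_000


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from one account's credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, KEY_LEN)


def _keystream(kek: bytes, nonce: bytes) -> bytes:
    return hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()


def wrap(kek: bytes, disk_key: bytes) -> bytes:
    """nonce || (disk_key XOR keystream) || tag; the tag is verified on unwrap."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(disk_key, _keystream(kek, nonce)))
    tag = hmac.new(kek, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:16 + KEY_LEN], blob[16 + KEY_LEN:]
    expected = hmac.new(kek, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong credential or tampered key blob")
    return bytes(a ^ b for a, b in zip(body, _keystream(kek, nonce)))


class Endpoint:
    """Pre-boot key store: the plaintext disk key exists only in memory."""

    def __init__(self, admin_name: str, admin_password: str) -> None:
        self._disk_key = os.urandom(KEY_LEN)       # unique to this endpoint
        self.blobs = {}                            # account -> wrapped disk key
        self.salts = {}
        self.register(admin_name, admin_password)  # one admin is always provisioned

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.salts[user] = salt
        self.blobs[user] = wrap(derive_kek(password, salt), self._disk_key)

    def remove_user(self, user: str) -> None:
        """Deletes only that account's wrapped copy; the disk is not re-encrypted."""
        del self.blobs[user]
        del self.salts[user]

    def preboot_authenticate(self, user: str, password: str) -> bytes:
        """Returns the disk key only if the credential unwraps a registered blob."""
        if user not in self.blobs:
            raise KeyError("account not registered on this endpoint")
        return unwrap(derive_kek(password, self.salts[user]), self.blobs[user])
```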

4) What is the role of the IT help desk in assisting users with key recovery?

One Time Password is a Help Desk-assisted recovery feature that enables users to recover access to their machines even if they’ve forgotten their password or PIN and the answers to their Authenti-Check questions. One Time Password uses a secure challenge and response system based on public/private key cryptography to provide a user with one-time access to their machine.

5) Is password or access recovery supported even when the endpoint is off the network?

Yes. Both the self-help Authenti-Check access recovery feature and the Help Desk-assisted One Time Password feature can be used regardless of whether a machine is currently connected to the corporate network.

Reporting

1) What information do endpoints report back to the central management console?

All endpoints report information to the GuardianEdge Hard Disk Encryption server, providing a centralized, aggregated view of the state of endpoint encryption throughout an enterprise deployment. This information includes:

User accounts per machine

Administrative accounts per machine

Timestamp of last check-in by a machine to the server

State of drive and partition encryption on a machine

2) How can I know if a system has been subject to a “brute force” or other similar attack?

GuardianEdge Hard Disk Encryption logs all user and administrative authentication attempts to the Windows Event Log on the local machine. These logs provide comprehensive data regarding all authentication attempts, including user names, success or failure, reason for failure, and timestamp. GuardianEdge Hard Disk Encryption protects against brute force authentication attempts at the pre-boot logon dialog by implementing an automatic delay after the administrator-defined threshold for unsuccessful logon attempts has been exceeded.
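Detection logic of the kind this answer enables, as an added example (not GuardianEdge code): it parses constructed authentication log lines carrying the fields the FAQ says are logged, flags accounts whose consecutive failures exceed a threshold, and computes the pre-boot delay. The threshold and delay values are assumptions standing in for the administrator-defined policy settings.

```python
"""Brute-force review of pre-boot authentication log entries.  Added example,
not GuardianEdge code.  The line format below is constructed to carry the
fields the FAQ lists (user name, success or failure, reason for failure,
timestamp); the real Windows Event Log layout is not reproduced.  The
threshold and delay are assumed values, not the product's defaults."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

FAILURE_THRESHOLD = 5     # assumption: policy threshold for unsuccessful attempts
DELAY_SECONDS = 30        # assumption: automatic delay once threshold is exceeded

# Constructed sample log lines: timestamp|user|result|reason
SAMPLE_LOG = """\
2009-03-02T08:00:01|jsmith|FAILURE|bad password
2009-03-02T08:00:03|jsmith|FAILURE|bad password
2009-03-02T08:00:05|jsmith|FAILURE|bad password
2009-03-02T08:00:06|jsmith|FAILURE|bad password
2009-03-02T08:00:08|jsmith|FAILURE|bad password
2009-03-02T08:00:09|jsmith|FAILURE|bad password
2009-03-02T08:01:10|adoe|FAILURE|bad password
2009-03-02T08:01:20|adoe|SUCCESS|-
2009-03-02T08:05:00|jsmith|SUCCESS|-
"""

Entry = Tuple[datetime, str, bool, str]


def parse_log(text: str) -> List[Entry]:
    """One tuple per line: (timestamp, user, succeeded, reason)."""
    entries = []
    for line in text.splitlines():
        ts, user, result, reason = line.split("|", 3)
        entries.append((datetime.fromisoformat(ts), user, result == "SUCCESS", reason))
    return entries


def failure_streaks(entries: List[Entry]) -> Dict[str, int]:
    """Longest run of consecutive failures per user; a success resets the run."""
    current: Dict[str, int] = defaultdict(int)
    longest: Dict[str, int] = defaultdict(int)
    for _, user, ok, _reason in entries:
        current[user] = 0 if ok else current[user] + 1
        longest[user] = max(longest[user], current[user])
    return dict(longest)


def suspected_brute_force(entries: List[Entry], threshold: int = FAILURE_THRESHOLD) -> List[str]:
    """Accounts whose failure run exceeded the threshold, i.e. where the delay kicked in."""
    return sorted(u for u, n in failure_streaks(entries).items() if n > threshold)


def delay_before_next_attempt(consecutive_failures: int,
                              threshold: int = FAILURE_THRESHOLD,
                              delay: int = DELAY_SECONDS) -> int:
    """Pre-boot dialog delay: none until the threshold is exceeded, then a fixed wait."""
    return delay if consecutive_failures > threshold else 0
```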

3) Can an endpoint that goes lost or missing be locked out from all user access?

Yes. Through policy, machines can be required to “check in” to the GuardianEdge Hard Disk Encryption server periodically. A machine that exceeds the administrator-defined reporting interval will be automatically locked out to all user accounts.

4) Is there an audit trail that shows what users are registered on what endpoints?

Yes. All endpoints report information to the GuardianEdge Hard Disk Encryption server, providing a centralized, aggregated view of the state of endpoint encryption throughout an enterprise deployment. This information includes both user and administrative accounts per machine.

5) Is there an audit trail proving that an endpoint is encrypted?

Yes. All endpoints report information to the GuardianEdge Hard Disk Encryption server, providing a centralized, aggregated view of the state of endpoint encryption throughout an enterprise deployment. This information includes the state of drive and partition encryption on a machine.

How Does GuardianEdge Compare?

1) How is GuardianEdge’s solution different from Microsoft Vista BitLocker?

BitLocker and GuardianEdge Hard Disk Encryption are two completely different classes of product. BitLocker is a relatively immature first-generation product that is difficult to deploy and manage. GuardianEdge Hard Disk Encryption is a mature, robust product with hundreds of successful enterprise deployments over the past ten years. BitLocker:

Runs only on certain versions of the Vista operating system.

Requires IT administrators to create a special partition on the system boot drive for all endpoints.

Requires either a TPM module, or a USB Flash drive to store logon keys. If TPM is used, TPM modules must be deployed, activated and managed on all protected endpoints (Microsoft does not provide a management solution for TPM).

Does not include a central management console. In order to escrow recovery keys from BitLocker endpoints, Microsoft requires the modification of the enterprise Active Directory schema.

By contrast, GuardianEdge Hard Disk Encryption:

Leverages the existing enterprise infrastructure and is designed from the ground up for the best security with the lowest total cost of ownership.

Runs on all endpoint operating systems that Microsoft supports today (Windows 2000, XP Professional and Vista), and requires no additional hardware or software to deploy and manage thousands of endpoints.

Has an enterprise class management console tightly integrated with Active Directory, does not require the extension of the enterprise Active Directory schema, and provides a common interface for management of all GuardianEdge data protection solutions, including Hard Disk Encryption, Removable Storage Encryption, and Device Control.

2) What makes GuardianEdge different from other full disk encryption software vendors?

GuardianEdge Technologies is a trusted and proven partner to large organizations looking to reduce the cost and complexity of deploying and managing enterprise-class encryption across multiple mobile devices. GuardianEdge Technologies' successful track record of more than 13 years of encryption experience has attracted an international customer base of large corporations, government agencies, the US military, universities and other institutions, with more than 2 million seats sold.

The GuardianEdge Data Protection Platform is the most comprehensive and tightly integrated management solution for endpoint data protection within the enterprise available today. It provides unsurpassed integration with Microsoft Active Directory and central management of all GuardianEdge endpoint data protection solutions, including GuardianEdge Hard Disk Encryption.